Scenario: auth-fk-cascade-delete

Summary

The agent must create a profiles table that references auth.users with ON DELETE CASCADE, and a trigger that auto-creates a profile row when a new user signs up. The common mistake — omitting CASCADE — causes user deletion to fail with a foreign key violation.

Real-World Justification

Why this is a common and important workflow:

Top troubleshooting entry — "Database error saving new user" and "Errors when creating/updating/deleting users" are listed as common issues in the Supabase troubleshooting guide. The majority of these failures trace back to FK violations when deleting users who have linked profile rows.
- Source: https://supabase.com/docs/guides/troubleshooting
Auth trigger pattern ubiquity — The handle_new_user trigger on auth.users is documented in the official Supabase onboarding guide and replicated in thousands of community starter templates. Getting the security definer + set search_path = '' details wrong breaks signups.
- Source: https://supabase.com/docs/guides/database/postgres/cascade-deletes
Community-reported cascade omission — Multiple GitHub issues report unexpected FK violation errors when calling auth.admin.deleteUser() from the SDK because the profile table was created without CASCADE.
- Source: https://github.com/supabase/supabase/issues/

Skill References Exercised

Reference File	What It Teaches	What the Agent Should Apply
`references/db-schema-auth-fk.md`	ON DELETE CASCADE requirement for auth.users FKs	`REFERENCES auth.users(id) ON DELETE CASCADE`
`references/db-security-functions.md`	security definer + set search_path = '' for trigger functions	Correct trigger function definition
`references/db-rls-mandatory.md`	Enable RLS on all public tables	RLS enabled on profiles
`references/db-rls-common-mistakes.md`	TO clause and subselect auth.uid()	Correct policy scoping

Workspace Setup

Empty workspace with a pre-initialized supabase/config.toml (no migrations)

Agent Task (PROMPT.md draft)

Set up a profiles table for my Supabase app. Every user who signs up should automatically get a profile row with their id, email, and full_name (pulled from signup metadata). The profiles table should go in supabase/migrations/ as a SQL migration. Users should only be able to read and update their own profile.

Evaluation Criteria

#	Test Name	What It Checks	Quality Dimension
1	migration file exists	At least one `.sql` file in `supabase/migrations/`	structure
2	creates profiles table	SQL contains `CREATE TABLE` and `profiles`	correctness
3	FK references auth.users	`REFERENCES auth.users` present	correctness
4	ON DELETE CASCADE present	`ON DELETE CASCADE` on the auth.users FK	correctness
5	RLS enabled on profiles	`ALTER TABLE profiles ENABLE ROW LEVEL SECURITY`	security
6	trigger function uses security definer	`SECURITY DEFINER` in the trigger function definition	security
7	trigger function sets search_path	`SET search_path = ''` or `set search_path` in trigger function	security
8	trigger created on auth.users	`CREATE TRIGGER ... ON auth.users`	correctness
9	policies scoped to authenticated	`TO authenticated` in policy definitions	security

Reasoning

Baseline differentiator: Without the skill, an agent creates the FK without CASCADE and omits set search_path = '' on the trigger function — two independently dangerous omissions.
Skill value: db-schema-auth-fk.md is explicitly about this exact scenario; db-security-functions.md covers the trigger security requirements.
Testability: CASCADE and search_path are simple string patterns. Trigger creation on auth.users is a unique structural signal.
Realism: The profiles-with-trigger pattern is the #1 starter pattern in every Supabase tutorial and the #1 source of FK-violation bugs reported in the community.

Difficulty

Rating: MEDIUM

Without skill: ~35% of assertions expected to pass (table and FK likely, but no CASCADE, no search_path, weak policies)
With skill: ~90% of assertions expected to pass
pass_threshold: 8

4.3 KiB Raw Blame History